Inserting text fails for some string values but not for others

Question

String addQuer = "INSERT INTO emaildata VALUES('" + email + "','" + fname + "','" + lname + "','" + subject + "','" + content + "')";
        statement.execute(addQuer);

I have the above code that inserts data into the table. I am using MS Access database. All the fields are of type (Long Text). The query works fine when i insert the following dataset

1. email = SALMAN MAJID
2. Salman
3. Majid
4. Test Mail
5. mY nAME iS sALMAN.

But the same query gives error when i use the following data set in the last field. The error is Syntax error Missing Operator.... Please don't mind for such long text because this text gives the error so i posted the whole text.

java.sql.SQLException: [Microsoft][ODBC Microsoft Access Driver] Syntax error (missing operator) in query expression ''Get the free Outlook app.

We've upgraded the Outlook app to be faster and easier to use. No matter which email services you use'.

1. "Outlook.com"
2. Not Available
3. Not Available
4. Download Now: Outlook app

5. Get the free Outlook app.

   We've upgraded the Outlook app to be faster and easier to use. No matter which email services you use, the Outlook app lets you do more.

[Download Outlook.] http://communication.microsoft.com/Key-6859501.C.ChVBd.C.K4.-.HJ67kt

The field 5 ends here. The above text is long but i could not paste the whole text. But the error is in this text that i posted.

Answer 1

You are suffering from "SQL injection" problems. Text containing a single quote (e.g., "We've ...") will cause your SQL command to be invalid. You need to use a parameterized query, which would look something like this:

String addQuer = "INSERT INTO emaildata VALUES (?,?,?,?,?)";
PreparedStatement ps = conn.prepareStatement(addQuer);
ps.setString(1, email);
ps.setString(2, fname);
ps.setString(3, lname);
ps.setString(4, subject);
ps.setString(5, content);
ps.executeUpdate();